The annotated tag, talloc-2.4.1 has been created
        at  07be14a36896de8f1a31e768853c3b8e1dcb306e (tag)
   tagging  791e2817e13182344447590313f7e372a27c1d48 (commit)
  replaces  tevent-0.14.1
 tagged by  Stefan Metzmacher
        on  Thu Jul 20 12:47:51 2023 +0200

- Log -----------------------------------------------------------------
talloc: tag release talloc-2.4.1

Alexander Bokovoy (2):
      Add ROLE_IPA_DC into two more places
      wafsamba: Normalize strings in gdb output when comparing ABI

Amir Goldstein (4):
      s4:torture:basic: fix SET_INFO_* macros in delayed_write_update*
      lib: add NTTIME_[U|m]SEC macros
      s4:torture:basic: use milliseconds granularity in delayed_write_update7
      torture/smb2: do not use client time in delayed timestamp updates test

Andreas Schneider (266):
      s3:libsmb: Remove unused variable 'i'
      s3:smbd: Don't assign variable to itself
      s3:rpcsrv:eventlog: Remove unused variable
      s3:winbind: Remove unused variable
      s4:samdb: Remove trailing whitespaces
      s4:samdb: Remove unused variable
      nsswitch: Fix getting data out of pam_get_data()
      lib:ldb-samba: Correctly handle search scope
      s3:printing: Remove trailing whitespaces in vlp.c
      s3:printing: Remove unused variable
      s3:modules: Ignore -Wunused-but-set-variable for autogenerated code
      s4:modules: Move structs with dynamic arrays to end of struct
      s3:modules: Initialize pointer with NULL
      s3:netapi: Remove unused variables
      s3:utils: Remove unused variable
      s3:torture: Remove unused variable
      waf: Add support for MemorySanitizer
      lib:ldb: Add the location to ldb_kv_parse_data_unpack() debug output
      lib:ldb: Print a debug message in case we have a corrupted MDB
      testprogs: Use random usernames for kinit tests
      testprogs: Use random usernames for export keytab tests
      testprogs: Use random user names for kpasswd tests
      python:tests: Correctly escape $ in user_edit.sh
      python:tests: Use a random username for user_edit.sh tests
      python:tests: Correctly escape $ in contact_edit.sh
      python:tests: Use a random username for contact_edit.sh test
      python:tests: Correctly escape $ in computer_edit.sh
      python:tests: Use a random machine name for computer_edit.sh test
      python:tests: Make sure we do not run into issues with already existing users
      python:tests: Fix domain_backup test with Python 3.11
      python:tests: Tell dns.resolver to not read /etc/resolv.conf
      python:tests: Add missing result checks for samba_tool.gpo tests
      python:tests: Make sure we delete the OU for movetest
      s3:utils: Check if the autorid rangesize is a multiple of the range
      s3:winbind: Improve warning message if we are out of autorid ranges
      python:netcmd: Decode return value of find_netbios() from bytes into string
      lib:ldb: Correctly cast pointers for assert_string_equal()
      ctdb:client: Fix code spelling
      ctdb:common: Fix code spelling
      ctdb:include: Remove trailing whitespaces in ctdb_protocol.h
      ctdb:include: Fix code spelling
      ctdb:server: Remove trailing whitespaces in ctdb_recover.c
      ctdb:server: Remove trailing whitespaces in ctdb_server.c
      ctdb:server: Fix code spelling
      ctdb:tcp: Fix code spelling
      ctdb:tests: Fix code spelling
      ctdb:tool: Fix code spelling
      ctdb:utils: Remove trailing whitespaces in scsi_io.c
      ctdb:utils: Fix code spelling
      s3:utils: Fix grammar in testparm
      auth: Fix code spelling
      buildtools: Fix code spelling
      examples: Remove trailing whitespaces in ol-schema-migrate.pl
      examples: Remove trailing whitespaces in mklogon.conf
      examples: Fix code spelling
      examples: Remove trailing whitespaces in smb.conf.default
      examples: Improve comment in smb.conf.default
      s3:libsmb: Remove trailing whitespaces in clientgen.c
      s3:libsmb: Fix conflicting declaration/implementation
      s3:waf: Fix One Definition Rule (ODR) violation of libsecrets3
      Add .clangd configuration file
      buildtools: Remove compile_commands.json symlink
      lib:talloc: Move talloc_get_size() out of the talloc reference group
      lib:addns: Rename additionals to additional
      lib:addns: Fix code spelling
      lib:audit_logging: Fix code spelling
      lib:cmdline: Fix code spelling
      lib:compression: Fix code spelling
      lib:crypto: Improve comment about weak crypto
      lib:dbwrap: Fix code spelling
      lib:fuzzing: Fix code spelling
      lib:krb5_wrap: Fix code spelling
      Fix spelling in README.Coding.md
      bootstrap: Fix spelling in README.md
      ctdb:doc: Fix code spelling
      docs-xml: Fix spelling in manpages
      docs-xml: Fix spelling in smb.conf manpage
      docs-xml: Fix spelling in Samba-Developers-Guide
      lib:ldb:common: Fix code spelling
      lib:ldb:include: Fix code spelling
      lib:ldb:ldb_key_value: Fix code spelling
      lib:ldb:ldb_map: Fix code spelling
      lib:ldb:ldb_sqlite3: Fix code spelling
      lib:ldb:nssldb: Fix code spelling
      lib:ldb:tests: Fix code spelling
      s3:selftest: Move the smbget share to the provision function
      s3:selftest: Move samba3.blackbox.smbget to ad_member
      s3:selftest: Pass REALM to samba.blackbox.smbget
      s3:tests: Also clear the download area in smbget msdfs_link test
      s3:tests: Add domain and UPN test for smbget
      s3:tests: Add smbget msdfs link test with domain and UPN
      s3:utils: Always cleanup when leaving smbget main()
      s3:utils: Add support for parsing domain/UPN in username for smbget
      s3:tests: Use long options for smbget in test_smbget.sh
      s3:utils: Use common command line parser for smbget
      docs-xml: Update smbget manpage
      docs-xml: Remove smbgetrc manpage
      s3:utils: Correctly wire encryption for smbget
      s3:tests: Add encryption test for smbget
      s3:utils: Correctly wire Kerberos support for smbget
      s3:tests: Add kerberos test for smbget
      s3:tests: Add a kerberos trust test for smbget
      s3:tests: Add test with testdenied_...@realm.upn
      auth: Remove trailing white spaces in credentials.h
      auth: Remove trailing white spaces in credentials_ntlm.c
      auth: Add cli_credentials_is_password_nt_hash()
      s3:utils: Correctly wire NT hash support for smbget
      s3:utils: s3:utils: Correctly wire winbind ccache support for smbget
      Update WHATSNEW.txt
      lib:ldb:tests: Fix signedness build error
      s3:selftest: Remove ad_dc_ntvfs for smbclient_machine_auth.plain
      s3:tests: Use the CONFIGURATION passed down to the test
      s3:tests: Correctly implement tests for forceuser/forcegroup
      s3:tests: Use CONFIGURATION passed down to the test
      s3:tests: Add exit code with failed tests
      s4:torture: Remove trailing white spaces
      s4:torture: Fix warning messages for smb.raw.session
      s4:torture: Fix warning messages for smb2.session
      s4:torture: Extend smb2 session requested_life_time
      testprogs: Fix running export.keytab heimdal test
      s4:tests: Reformat kerberos tests
      s4:selftest: Use smbclient3 for kinit tests
      s4:selftest: Use ad_dc environment for kinit tests
      testprogs: Correctly set configuration in test_kinit_mit.sh
      testprogs: Correctly set configuration in test_kinit_heimdal.sh
      testprogs: Pass configuration to test_export_keytab_heimdal.sh
      testprogs: Pass configuration to test_export_keytab_mit.sh
      testprogs: Specify the KRB5CCNAME on the command line
      testprogs: Pass configuration to test_kpasswd_heimdal.sh
      testprogs: Pass configuration to test_kpasswd_mit.sh
      s4:selftest: Reformat samba4.blackbox.password_settings
      s4:selftest: Use ad_dc env for samba4.blackbox.password_settings
      testprogs: Pass configuration to test_password_settings.sh
      testprogs: Remove UID_WRAPPER_ROOT export
      testprogs: Pass configuration to test_kinit_trusts_heimdal.sh
      testprogs: Pass configuration to test_kinit_trusts_mit.sh
      s4:selftest: Reformat samba4.blackbox.rfc2307_mapping
      s4:selftest: Move rfc2307_mapping test to ad_dc
      nsswitch:tests: Use configuration variable passed to test_rfc2307_mapping.sh
      testprogs: Reformat test_kinit_heimdal.sh
      testprogs: Fix shell arithmetic in test_kinit_heimdal.sh
      testprogs: Use common binary detection functions in test_kinit_heimdal.sh
      testprogs: Reformat test_kinit_mit.sh
      testprogs: Fix shell arithmetic in test_kinit_mit.sh
      testprogs: Merge kinit tests into a single script for MIT and Heimdal
      testprogs: Remove unused test_kinit_(heimdal|mit).sh
      testprogs: Reformat test_kinit_trusts_heimdal.sh
      testprogs: Reformat test_kinit_trusts_mit.sh
      testprogs: Fix shell arithmetic in test_kinit_trusts_mit.sh
      testprogs: Fix shell arithmetic in test_kinit_trusts_heimdal.sh
      testprogs: Merge kinit trust tests into a single script for MIT and Heimdal
      testprogs: Remove unused test_kinit_trusts_(heimdal|mit).sh
      testprogs: Reformat test_export_keytab_heimdal.sh
      testprogs: Fix shell arithmetic in test_export_keytab_heimdal.sh
      testprogs: Reformat test_export_keytab_mit.sh
      testprogs: Fix shell arithmetic in test_export_keytab_mit.sh
      testprogs: Merge export keytab tests into a single script for MIT and Heimdal
      testprogs: Remove unused test_export_keytab_(heimdal|mit).sh
      python:tests: Correctly skip some GPO tests in release tarball
      s3:libads: Remove executable bit from ldap.c
      Makefile: Fix spelling
      ctdb: Fix code spelling
      docs-xml: Fix spelling
      dynconfig: Fix code spelling
      examples: Fix spelling
      lib:ldb: Fix code spelling
      lib:messaging: Fix code spelling
      lib:param: Fix code spelling
      lib:pthreadpool: Fix code spelling
      lib:replace: Fix code spelling
      lib:replace: Fix snprintf of rep_inet_ntop()
      lib:replace: Remove trailing white spaces in xattr.c
      lib:replace: Fix code spelling
      lib:smbconf: Fix code spelling
      lib:socket: Fix code spelling
      lib:talloc: Fix code spelling
      lib:tdb: Fix code spelling
      lib:tevent: Fix code spelling
      lib:tsocket: Fix code spelling
      lib:util: Remove trailing white spaces in byteorder.h
      lib:util: Fix code spelling
      s3:tests: Create a temporary directory for test_veto_files.sh
      s3:tests: Add test that veto files works for hidden files
      s3:lib: Do not try to match '.' and '..' directories in is_in_path()
      s3:libsmb: Mark smbc_set_credentials() as deprecated
      s3:utils: Use smbc_set_credentials_with_fallback() for smbget
      s3:libsmb: Also deprecate smbc_init()
      s3:client: Remove unused tree.c
      python:tests: Skip the source_chars test if not a git dir
      lib:krb5_wrap: Fix debug statements when princ_s is NULL
      dfs_server: Fix debug statement if searched_site is NULL
      s3:torture: Remove trailing white spaces in locktest2.c
      s3:torture: Fix possible array out of bounds access
      selftest:knownfail: Update S4U knownfail for MIT KRB5 1.20
      gitlab-ci: Update Fedora to version 38
      s3:lib: Move ad_unpack() debug message to notice level
      s3:lib: Give better warnings about corrupted AppleDobule files
      libcli:auth: Fix code spelling
      libcli:drsuapi: Fix code spelling
      libcli:ldap: Fix code spelling
      libcli:security: Fix code spelling
      libcli:smb: Fix code spelling
      python:tests: Adopt safe_tarfile for extraction_filter raises
      python:safe_tarfile: Set extraction_filter for pythons providing it
      python:safe_tarfile: Implement safer extractall()
      python:safe_tarfile: Improve safe extract()
      testprogs:subunit: Fix assigning an array to a string
      testprogs:subunit: Fix integer comparisons
      testprogs: Do not export UID_WRAPPER_ROOT in test_samba-tool_ntacl.sh
      testprogs: Do not export UID_WRAPPER_ROOT in test_net_ads_dns.sh
      testprogs: Do not export UID_WRAPPER_ROOT in test_pdbtest.sh
      testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_mit.sh
      testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_heimdal.sh
      testprogs: Do not export UID_WRAPPER_ROOT in test_net_rpc_oldjoin.sh
      s3:tests: Do not export UID_WRAPPER_ROOT in test_net_machine_account
      s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_dead_rec.sh
      s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_cross_node.sh
      s3:winbind: Fix talloc parent in find_dc() leading to a segfault
      libcli:smbreadline: Fix code spelling
      libgpo:admx: Fix code spelling
      librpc:idl: Fix code spelling
      librpc:ndr: Fix code spelling
      librpc:rpc: Fix code spelling
      nsswitch: Fix code spelling
      packaging:systemd: Fix code spelling
      pidl: Fix code spelling
      python:samba:emulate: Fix code spelling
      python:samba:gp: Fix code spelling
      python:samba:gp_parse: Fix code spelling
      python:samba:kcc: Fix code spelling
      python:samba:netcmd: Fix code spelling
      python:samba:provision: Fix code spelling
      python:samba:samba3: Fix code spelling
      python:samba:subunit: Fix code spelling
      python:samba:tests: Fix code spelling
      python:samba: Fix code spelling
      third_party: Update socket_wrapper to version 1.4.2
      python:tests: Fix code spelling
      script: Fix code spelling
      selftest: Fix code spelling
      s3:auth: Fix code spelling
      s3:auth: Use new debug macros for logging
      s4:client: Fix code spelling
      s3:include: Fix code spelling
      examples: Make codespell happy
      examples: Fix code spelling
      python: Fix code spelling
      python:tests: Fix code spelling
      s3:include: Remove trailing whitepaces in MacExtensions.h
      s3:include: Fix code spelling
      s3:lib: Fix code spelling
      s3:libads: Fix code spelling
      s3:libsmb: Fix code spelling
      example: Remove outdated config files from tridge
      examples: Remove outdated validchars
      wscript: Fix code spelling
      s3:librpc: Fix code spelling
      s3:locking: Fix code spelling
      s3:modules: Remove trailing white spaces of vfs_hpuxacl.c
      s3:modules: Remove trailing white spaces of README.nfs4acls.txt
      s3:modules: Remove fruit:ressource option with incorrect spelling
      s3:modules: Fix code spelling
      s3:nmbd: Fix trailing white spaces in nmbd.c
      s3:nmbd: Fix trailing white spaces in nmbd_incomingdgrams.c
      s3:nmbd: Fix trailing white spaces in nmbd_incomingrequests.c
      s3:nmbd: Fix code spelling

Andrew Bartlett (86):
      s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc()
      tsocket: Increase tcp_user_timeout max_loops
      selftest/drs: Demonstrate ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join
      dsdb: Avoid ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join
      lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate
      selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time
      script/autobuild: Use python logger to print times on log lines to aid in debugging.
      script/autobuild: Use --verbose to control python logger verbosity
      script/autobuild: Use logger.debug() for debug messages (visible with --verbose)
      librpc/idl: Explain why PAC_TYPE_CLIENT_CLAIMS_INFO is not directly decoded
      selftest: Add python test that verifies that we can parse a PAC
      pidl: Allow variable expansion (eg of a value() attribute) in compression_alg argument
      lib/compression: Add helper function lzxpress_huffman_max_compressed_size()
      lib/compression: Fix documentation of lzxpress_huffman_compress()
      ndrdump: Allow a long string of hexidecimal digits as well as a hex dump for --hex-input
      librpc: Remove incorrect NDR_COMPRESSION dependency from NDR_KRB5CCACHE
      librpc/ndr: Remove incorrect comment that ndr_compression.h is autogenerated
      librpc/ndr: Unimplement DRSUAPI_COMPRESSION_TYPE_XPRESS and rename
      libndr/ndr: Add NDR_COMPRESSION_INVALID
      libndr/ndr: Remove unused argument from ndr_push_compression_{start,end}()
      librpc/ndr: Add a "NONE" compression format to libndr
      librpc/ndr: Implement lzxpress_huffman() compression in libndr for Kerberos Claims
      pidl: Automatically manage creating and freeing the compression state in generated code
      librpc/ndr: Make ndr_push_compression_state_free() a talloc destructor
      librpc/ndr: Use libndr compression for claims
      sefltest: Extend python NDR parsing tests to compressed and uncompressed claims
      selftest: Add test parsing krb5 PAC claims via ndrdump
      CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects
      CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
      CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests
      CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes
      CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
      dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
      dsdb/tests: Move SD modification on class-created objects to classSetUp
      dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test
      lib/util: Add "debug syslog format = always", which logs to stdout in syslog style
      selftest: Use "debug syslog format = always" in selftest
      s3-client: Provide more information on protocol negotiation failures
      pytest:sddl Samba had the wrong value for FA, now fix the tests
      pytest:sddl: show the correct handling of the "FA" SDDL flag
      librpc: Fix talloc hierarchy for ndr_compression_state
      librpc: Always call ndr_push_compression_state_init() for compression
      python: Move helper functions for functional levels into a new file
      samba-tool domain provision: Use common functional_level.string_to_level()
      param: Add new parameter "ad dc functional level"
      python: Add function to get the functional level as a python intger from smb.conf
      samba-tool domain join: Allow "ad dc functional level" to change which
      selftest: Move linked_attributes test to ad_dc selftest environment
      Use --base-schema=2008_R2 on ad_dc_ntvfs, which opeates at FL2008
      selftest: Return fl2008dc to being an alias for ad_dc_ntvfs
      selftest: Allow provision_ad_dc() to take functional_level as an argument
      selftest: Change ad_dc environment to be 2016 functional level
      librpc/idl: Merge missing bits into nbt_server_type in nbt.idl
      librpc/idl: Use nbt_server_type instead of netr_DsR_DcFlags netlogon.idl
      librpc/idl: Alias the DS_ constants in netlogon.idl to the NBT_SERVER equivilants
      selftest: Assert that we have a trust in samba.tests.getdcname
      selftest: Rework samba.tests.getdcname not to use ncalrpc
      selftest: Confirm that the flags like DS_DIRECTORY_SERVICE_9_REQUIRED work
      selftest: Change self.assertTrue(x is not None) -> self.assertIsNotNone(x)
      selftest: Fix remaining incorrect references to 2012 -> 2012R2 FL in GetDCNameEx test
      sefltest: Improve getdcname test by confirming the _REQUIRED flag behaviours
      librpc: No longer consider the DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED bits as invalid
      s4-libads: Confirm newer functional levels in check_cldap_reply_required_flags()
      s3-libads: Also handle the DS_WEB_SERVICE_REQUIRED flag in check_cldap_reply_required_flags()
      s4-rpc_server: Filter via dsdb_dc_functional_level() before we are returning a lookup directly
      selftest: Specify that DCs prepared with prepare_dc_testenv() to be 2016 capable
      selftest: Split up tests in dsdb.py to avoid creating a user when not required
      dsdb: Indicate in rootdse.c why samdb_ntds_settings_dn() is not used
      dsdb: Add routine to check the DB vs lp functional levels
      python/tests: Make helpful, stateless methods @classmethod and @staticmethod
      selftest: Add unit tests of the DC startup FL check/update code
      s4-server: Call dsdb_check_and_update_fl() during startup transaction.
      samba-tool: Fix missing import for "domain level raise --forest-level=2016"
      WHATSNEW: Mention new default schema and Functional Level prep
      Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c
      build: Set minimum required GnuTLS version to 3.6.13
      crypto: Rely on GnuTLS 3.6.13 and gnutls_pbkdf2()
      Remove check for gnutls_set_default_priority_append as it unused
      Remove rudundent check for gnutls_pkcs7_get_embedded_data_oid as we now require GnuTLS 3.6.13
      Remove rudundent check/workaround for buggy GnuTLS 3.5.2 as we now require GnuTLS 3.6.13
      Remove rudundent check and fallback for AES CFB8 as we now require GnuTLS 3.6.13
      crypto: Remove aesni-intel accelerated AES crypto functions
      Remove redundant check and fallback for AES CMAC 128 as we now require GnuTLS 3.6.13
      build: Remove unused check for SHA1_Update and SHA1_RENAME_NEEDED
      libcli/smb: Remove unused fallback case for ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
      WHATSNEW: Update minimum GnuTLS version

Björn Baumbach (18):
      testprogs: fix some "net ads dns" tests
      testprogs: net ads dns tests: remove test user after usage.
      testprogs: adapt return values of testit_expect_failure_grep and testit_grep_count to function description
      testprogs: use uniqe names in "net ads dns" tests to avoid conflicts
      testprogs: remove only used dns records in "net ads dns" tests
      testprogs: use more unique names in "net ads dns" tests
      testprogs: remove used records in "net ads dns" tests
      testprogs: net ads dns: do not increase the $failed counter in "net ads dns" when test is OK
      testprogs/blackbox/test_net_ads_dns.sh: verify test results ($failed)
      testprogs/blackbox/test_special_group.sh: verify test results ($failed)
      testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh: verify test results ($failed)
      net: add new --dns-ttl option to specify the ttl of dns records
      docs: documentation for new net --dns-ttl option
      testprogs: add test for new net ads dns register --dns-ttl option
      net: add hint which options can be used with net ads dns register command
      docs: fix a typo in history file
      samba-tool: add new --dns-directory-partition option to dns zonecreate command
      samba-tool: print default (domain) for --dns-directory-partition option in help message

Björn Jacke (22):
      smbcacls/smbcquotas: check for valid UNC path
      docs-xml: remove completely outdated Samba-Developers-Guide
      nmbd: use DBG_ macros and raise some log levels
      nmbd_sendannounce.c: use DBG* macros instead of static log level numbers
      nmbd/asyncdns.c: use DBG* macros instead of static log level numbers
      nmbd_become_lmb.c: use DBG* macros instead of static log level numbers
      oplock_linux.c: use DBG macros instead of static log level
      dns_update.c: use DBG* macros instead of static log level numbers
      smbXsrv_session.c: use DBG* macros instead of static log level numbers
      smb2_service.c: use DBG* macros instread of static log level numbers
      dcesrv_drsuapi.c:use DBG* macros instead of static log level numbers
      smbXsrv_tcon.c: use DBG* macros instead of static log level numbers
      vfs_default.c: use DBG* macros instead of static log level numbers
      winbindd_cache: adjust some debug levels to more appropriate severities
      winbindd_cache.c: move some some notice messages from ERR to NOTICE level
      winbindd_cache.c: use DBG* macros instead of static log level numbers
      garbage_collect_tombstones.c: move info log message to appropriate level
      garbage_collect_tombstone.c: use DBG* macros instead of static numeric log levels
      tallocmsg.c: move info log message to appropriate level
      wb_dsgetdcname.c: don't use statis log level numbers
      wb_dsgetdcname.c: move common message to higher log level
      wb_dsgetdcname: log also the domain name for failures

Christof Schmitt (7):
      librpc: Fix compile error for libnet_join.idl
      debug: Only initialize gpfs wrapper when gpfs logging is enabled
      ctdb-recovery: Use correct struct ban_node_state type for state
      gpfswrap: Add wrapper for gpfs_register_cifs_export
      vfs_gpfs: Register smbd process with GPFS
      vfs_gpfs: Check error from gpfswrap_lib_init
      vfs_gpfs: Move call to load GPFS library

David Disseldorp (1):
      s3:modules: call rpcgen only if vfs_nfs4acl_xattr is enabled

David Mulder (20):
      gp: samba-tool gpo cse register/unregister/list
      gp: Test samba-tool gpo cse register/unregister/list
      gp: Log ext failure with file and line number
      gp: gp_sudoers_ext warn w/out visudo installed
      samba-tool: Clarify cse register command file dest
      samba-tool: Subclass GPOCommand for calling samdb_connect
      samba-tool: Test that modifying GPO increments GPT.INI vers
      samba-tool: Ensure modifying GPO increments GPT.INI vers
      gpupdate: Test that PAM Access uses winbind separator
      gpupdate: Use winbind separator in PAM Access Policies
      smbd: Ensure share root POSIX attrs are cleared after mode_fn
      gp: Fix NameError: free variable 'cron_dir' in Crontab CSE
      gpupdate: Implement get_gpo_list in python
      gpupdate: Deprecate libgpo.get_gpo_list
      gpo: Group Policy tests require a s3 loadparam
      Add a WHATSNEW entry indicating libgpo py deprecation
      gp: Add site-dn fallback when rpc call fails
      gp: get_gpo() should re-raise the Exception, not return
      gp: sshd policy correctly sort policy
      gp: Fix user apply failure when droping privs

Dmitry Antipov (8):
      lib:util: prefer mallinfo2() over mallinfo() if available
      s4:libnet: cleanup py_net_time()
      lib:registry: drop unused argument of reg_open_remote()
      s4:lib:policy: cleanup and handle errors in push_recursive()
      lib:ldb: do not offset against NULL pointer in ldb_ldif_read()
      s4:ntvfs:posix: avoid parsing empty blob in posix_eadb_add_list()
      lib:util: prefer size_t for random data generation functions
      pyglue: use Py_ssize_t in random data generation functions

Douglas Bagnall (82):
      ldb/pyldb: remove py2 ifdefs
      s4/ndr/py_misc: remove python 2 ifdefs
      s4/ndr/py_security: remove python 2 ifdefs
      tdb/pytdb: remove py ifdefs
      tdb/pytdb: remove useless HAVE_ITER non-flag
      tevent/pytevent: remove py2 ifdefs
      tevent/pytevent: remove no-op define
      pidl: avoid py compile issues with --pidl-developer
      s4/wmi: begone
      talloc: remove Python 2 #if clauses
      s4: remove unused lib/com/*
      CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
      lib/fuzzing: add fuzzer for sddl_parse
      librpc/ndr/pysecurity: use better exceptions
      pytest:upgradeprovision: don't use misleading SDDL in tests
      librpc/py_security: exception message blames the bad SID
      pytest:sid_strings: same timestamp for all tests in the run
      pytest:sid_strings: use hashed instead of random unique numbers
      pytest:sid_strings: add a superclass, allowing for derivatives
      pytest:sid_strings: allow other errors to be specified
      pytest:sid_strings: add explicit S-1-* sid tests
      pytest:sid_strings: separate out expected_sid formatting
      pytest:sid_strings: test the strings with local parsing
      pytest:sid_strings: Windows and Samba divergent tests
      pytest:sid_strings: test SIDs as search base
      pytest:sid_strings: test SID DNs with ldb parsing
      pytest:sid_strings: do bad SIDS work in search filters?
      pytest:sid_strings: Do bad SIDs fail differently in simple-bind?
      libcli/security/dom_sid: remove a couple of lost comments
      libcli/security: avoid overflow in revision number
      libcli/security: stricter identauth parsing
      libcli/security: avoid overflow in subauths
      libcli/security/dom_sid: hex but not octal is OK for sub-auth
      libcli/security/dom_sid: use (unsigned char) in isdigit()
      libcli/sec/sddl decode: don't ignore random junk.
      libcli/sec/sddl decode: allow hex numbers in SIDs
      pytest:sddl: test empty DACL with flags
      lib/sec/sddl: allow empty non-trailing ACL with flags
      libcli/security: allow decimal/octal numbers in SDDL access mask
      libcli/security: disallow sddl access masks greater than 32 bits
      libcli/security: ace type is not enum not flags
      libcli/security: do not pad sddl flags with zeros
      test:bb/samba-tool ntacl: let return acl flag lack hex padding
      s3:test_larg_acl: adapt for the canonical ACE flags format
      pytest:ntacls: adapt for canonical flag format
      py:provision: use canonical representation of ACE flags
      pytest:samba-tool ntacl: expect canonical ACE flag format
      pytest:posixacl: expect canonical ACE flag format
      pytests/sddl: clarify boundaries between sddl cases
      pytest/sddl: give test more of a name
      pytest/sddl: remove duplicate test case
      pytest/sddl: assert sddl string equality
      pytest/sddl: rework to allow multiple lists, no early stop
      pytest/sddl: remove unused imports
      pytest/sddl: split tests into canonical and non-canonical
      pytest:sddl: tweak some test strings
      pytest:sddl: split each string into it's own test
      pytest:sddl: allow tests to make negative assertions
      pytest:sddl: Add negative tests of unparseable strings
      pytest:sddl: SDDL strings where Windows behaviour differs
      libcli/security: SDDL parse tests to run on Windows
      pytest:sddl: helpers to exchange SDDL strings with Windows testprogram
      pytest:sddl: let hex numbers differ in case (0xa == 0xA)
      pytest:sddl: add tests for long DACLs, differing flag interpretations
      s3:torture:LOCAL-IDMAP-TDB-COMMON: avoid talloc stacktrace
      s3:torture: sid2unixid2: DEBUG blames the right function
      libcli:security: sddl_map_flags rejects trailing nonsense
      libcli/security: sddl_decode_access rejects trailing rubbish
      libcli:security: sddl_decode_ace: don't allow junk after SID
      pytest:sddl debugging: should_fail test says how it failed
      pytest:sddl: tests around spaces in access flags and SIDs
      libcli:security:sddl_decode_access allows spaces between flags
      pytest:sddl: test we only accept normal GUIDs
      pytest:large_ldap: use a valid ACE
      libcli:security:sddl: accept only 8-4-4-4-12 GUIDs
      libcli/security/tests: test strings for windows and samba SDDL tests
      configure: ensure sizeof(int) >= 4
      lib/fuzzing: add fuzz_sddl_access_check
      lib/fuzzing: add fuzzer for arbitrary token/sd access checks
      lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant
      lib/fuzzing: adapt fuzz_sddl_access_check for AD variant
      lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds

Günther Deschner (1):
      s3-net: no secrets access required when processing a ODJ provisioning

Helmut Grohne (1):
      Skip running a C program during cross compilation

Jelmer Vernooij (1):
      Add a git-blame-ignore-revs file

Jeremy Allison (23):
      s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).
      s3: provision: Add new streams_xattr_nostrict share - needs "strict rename = no".
      s3: tests: Add new test_stream_dir_rename.sh test.
      s3: smbd: Fix fsp/fd leak when looking up a non-existent stream name on a file.
      tests: Add samba3.blackbox.zero_readsize test.
      s3: libcli: Refuse to connect to any server with zero values for max_trans_size, max_read_size, max_write_size.
      s3: smbd: Cleanup - don't set the FLAGS2_DFS_PATHNAMES in flags2 in the glue struct if it's not a DFS server or share.
      s3: smbd: Cleanup. smb2_file_rename_information() can never have a @GMT path in the destination.
      s3: smbd: Duplicate smb_file_link_information() hardlink handling as smb2_file_link_information().
      s3: smbd: In smb2_file_link_information(), don't ever expect @GMT tokens in the pathname.
      s3: smbd: Change smb2_file_link_information() to use srvstr_pull_talloc()/check_path_syntax_smb2().
      s3: smbd: Add utility function smb2_strip_dfs_path().
      s3: smbd: Remove all DFS path prefixes before passing to check_path_syntax_smb2().
      s3: smbd: Add assertion to filename_convert_dirfsp_nosymlink() that shows SMB2 is *never* dealing with a DFS path here.
      s3: smbd: Remove 'is_dfs' parameter to check_path_syntax_smb2().
      s3: smbd: Remove unused and commented out check_path_syntax_smb2_msdfs().
      s3: smbd: In smb_file_link_information() and smb_file_rename_information() the target path is never DFS.
      s3: smbd: Remove now unused dfs_filename_convert().
      s3: smbd: Fix dumb typos that meant smb1.SMB1-DFS-* tests were running against an SMB2-only fileserver.
      s3: smbd: Flatten the check_path_syntax_smb2() wrapper.
      s3: smbd: Add check_path_syntax_smb2_posix().
      s3: smbd: Correctly set smb2req->smb1req->posix_pathnames from the calling fsp on SMB2 calls.
      s3: smbd: Correctly process SMB3 POSIX paths in create.

John Mulligan (7):
      vfs_ceph: use fsp_get_pathref_fd in ceph fstatat and close vfs calls
      vfs_ceph: split ceph mount logic into a new function
      vfs_ceph: cache ceph mounts based on share configuration params
      vfs_ceph: add support to select ceph file system
      doc/vfs_ceph: update confusing default hint for ceph:user_id param
      doc/vfs_ceph: document ceph:filesystem parameter
      python:join: fix reused variable name in provision func

Jones Syue (2):
      smbd: remove comments about deprecated 'write cache size'
      s3:utils: smbget fix a memory leak

Joseph Sutton (619):
      tests/krb5: Declare supported encryption types of service account
      s4:torture: Zero-initialise netr_NetworkInfo structure
      s4:torture: Skip over asserted identity SIDs when comparing groups
      auth.idl: Add auth_SidAttr type
      libcli/security: Add auth_SidAttr utility functions
      s4-dsdb: Add samdb_result_dom_sid_attrs()
      auth: Store group attributes in auth_user_info_dc
      s4:torture: Assert that group attributes match
      auth: Exclude resource groups from a TGT
      auth: Remove early return from make_user_info_dc_pac()
      auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set
      s4-dsdb: Check for talloc failure in dsdb_expand_nested_groups()
      s4-dsdb: Make sid_list_match() static
      s4: Add 'const' to some parameters
      tests/krb5: Remove tests of KDCs without resource SID compression support
      tests/krb5: Improve assertion failure message
      tests/krb5: Add some more test cases for PAC group handling
      tests/krb5: Allow changing the SID of a user's PAC
      tests/krb5: Add group tests simulating PACs from a trusted domain
      tests/krb5: Allow setting or resetting PAC flags
      tests/krb5: Add tests of NETLOGON_RESOURCE_GROUPS flag handling
      s4:torture: Make use of torture_assert_sid_equal()
      named_pipe_auth: Bump info5 to info6
      auth: Pass through entire PAC flags value in auth_user_info
      s4:kdc: Add resource SID compression
      auth: Shorten long SID flags combinations
      auth: Make more liberal use of SID index constants
      ldap: Cut down on string substitution
      ldap: Make use of LDB_OID_COMPARATOR constants
      s4-dsdb: Simplify search expression
      auth: Align integer types
      tests/krb5: Add tests for the primary group
      s4:torture: Remove assertion that primary group is not duplicated in user_info_dc
      s4-dsdb: Use correct primary group SID in token group test
      auth: Correct primary group handling
      selftest: Expect setting domain-local group as primary group to fail
      s4/dsdb/samldb: Disallow setting a domain-local group as a primary group
      tests/krb5: Move _test_samlogon() to base class
      tests/krb5: Allow tests to set SamLogon validation level
      tests/krb5: Return validation structure from _test_samlogon()
      tests/krb5: Test groups returned by SamLogon
      auth: Discard non-base SIDs when creating SamInfo2
      tests/krb5: Use consistent ordering for etypes
      auth: Free empty SID arrays
      tests/krb5: Refactor decode_service_ticket()
      tests/krb5: Lazily fetch SamDB in get_default_enctypes()
      tests/krb5: Request only supported encryption types in get_tgt()
      tests/krb5: Remove client_as_etypes parameter
      tests/krb5: Move get_target() to base class
      tests/krb5: Refactor claims tests to use get_target()
      tests/krb5: Fix typo
      tests/krb5: Fix typo
      tests/krb5: Refactor setup_groups() to admit multiple preexisting principals and primary groups
      tests/krb5: Remove unused constant
      tests/krb5: Move some utility functions from group_tests to base class
      tests/krb5: Support nested SID structures in map_sids()
      tests/krb5: Move ticket_with_sids() to base class
      tests/krb5: Avoid duplicate group members
      tests/krb5: Refactor out map_to_sid()
      tests/krb5: Add map_to_dn()
      tests/krb5: Generate more readable string representation
      tests/krb5: Split out setup_claims()
      tests/krb5: Permit modifying claim attributes mid-test
      tests/krb5: Add tests adding a user to a group prior to a TGS-REQ
      tests/krb5: Fix typo
      source3/wscript: Fix configure-time checks
      tests: Fix old-style function definitions
      s4-dsdb: Make array static
      nsswitch: Fix CID 1518966 Resource leaks (RESOURCE_LEAK)
      s4:dnsserver: Check all records, not just one
      lib:ldb: Fix typo
      lib:pyldb: Throw error on invalid controls
      selftest: Fix invalid escape sequences
      s3:modules: Fix invalid escape sequences
      wscript: Fix invalid escape sequences
      samba_version.py: Avoid resource leak
      selftest: Don't use invalid escape sequences
      python/samba: Avoid resource leak
      s4:samba_spnupdate: Avoid resource leak
      s4:samba_dnsupdate: Avoid resource leaks
      selftest: Fix typo
      s4:samba_spnupdate: Fix typo
      gp: Avoid shadowing import
      gp: Don't use invalid escape sequences
      samba-tool: Don't use invalid escape sequences
      auth/credentials: Fix off-by-one buffer write
      python/samba/common: Fix typos
      python/schema: Fix conversion to UTF-8 string
      auth/credentials: Fix typos
      lib:cmdline: Fix typo
      pytest/samba_tool_drs: Convert bytes to UTF-8 string
      pytest/samba_tool_drs: Remove unused variables
      pytest/samba_tool_drs_no_dns: Remove unused variables
      pytest/samba_tool_drs_critical: Remove unused variables
      pytest/ridalloc_exop: Remove unused variables
      pytest/replica_sync: Remove unused variable
      pytest/repl_rodc: Remove unused variable
      pytest/repl_move: Remove unused variables
      pytest/getnc_exop: Remove unused variable
      pytest/delete_object: Remove unused variables
      torture/backupkey: Fix flapping test
      torture/backupkey: Fix possibly wrong typo'd array index
      s3:rpc_server/netlogon: Fix typo
      tests/krb5: Remove unused import
      tests/krb5: Unconditionally check compressed claims
      tests/krb5: Allow comparing UnorderedLists only with one another
      tests/krb5: Add type to expect a value is one of a set of possible types
      tests/krb5: Move some claims tests around
      tests/krb5: Fix typo
      tests/krb5: Split out device info checking into new method
      tests/krb5: Make arguments to get_target() keyword arguments
      tests/krb5: Allow creating accounts supporting claims or compound identity separately
      tests/krb5: Document and tidy up existing claims tests
      tests/krb5: Test more descriptive security descriptor
      tests/krb5: Allow group_setup to be None in setup_groups()
      tests/krb5: Require domain_sid to be non-None when passing a RID to map_to_sid()
      tests/krb5: Test we get correct values for integer syntax claims
      tests/krb5: Add test for compressed claim
      tests/krb5: Allow adding members to a group and changing its type in a single operation
      tests/krb5: Don't specify extra enctypes for the krbtgt
      tests/krb5: Allow creating a target server account with or without compound ID support
      tests/krb5: Overhaul check_device_info()
      tests/krb5: Add tests for device info
      tests/krb5: Add tests for device claims
      tests/krb5: Remove old device info and device claims tests
      ldb: Make ldb_msg_remove_attr O(n)
      s4-dsdb:tests: Fix AD DC performance tests
      s4-dsdb:tests: Correctly handle LdbError
      python:ndr: Use f-string to format exception message
      tests/krb5: Generate full ticket signatures with trailing RODC id
      tests/krb5: Cache drsuapi connection
      tests/krb5: Only add AES enctype bits at domain functional level 2008 and above
      tests/krb5: Add simple resource-based constrained delegation test
      tests/krb5: Fix additional_details account creation caching
      tests/krb5: Move issued_by_rodc() to base class
      tests/krb5: Add signed_by_rodc()
      tests/krb5: Let ticket_with_sids() create RODC-issued tickets
      tests/krb5: Add remove_client_claims_tgt_from_rodc()
      tests/krb5: Add tests for constrained delegation with RODC-issued tickets
      tests/krb5: Add tests for RODC-issued armor tickets
      tests/krb5: Test that RODC-issued claims are regenerated
      tests/krb5: Test that RODC-issued device groups are regenerated
      tests/krb5: Test that claims are generated even if PAC-OPTIONS are not set
      tests/krb5: Check that test parameters are not going unseen
      tests/krb5: Add functions to fetch the schemaIDGUID of an attribute or class
      tests/krb5: Test that denied attributes are still issued in claims
      selftest: Don't use invalid escape sequences
      selftest: Clean up socket when finished
      wafsamba: Remove unused configure check
      winbindd: Show warning message on tc connection errors too
      dsdb periodic: DNS: Add missing newlines to debug messages
      auth: Clear EXTRA_SIDS flag if no Extra SIDs are present
      s4:kdc: Replace 'is_untrusted' with 'is_trusted'
      s4:kdc: Comment parameter names
      s4:kdc: Make some parameters const
      s4:kdc: Fix typo
      s4:kdc: Don't pass a NULL pointer into krb5_pac_add_buffer()
      s4:kdc: Avoid copying data if not needed
      s4:kdc: Refactor PAC handling
      s4:kdc: Add client claims blob if it is present
      libcli/security: Reorder SDDL access flags table to match Windows
      ldb: Don't create error string if there is no error
      s4/dsdb/repl_meta_data: Pass NULL into ldb_msg_add_empty
      libcli/security: Correctly handle ACL deletion
      s4:kdc: Don't pass a NULL pointer to krb5_pac_add_buffer()
      s4:kdc: Have samba_kdc_update_pac() take device parameters
      s4:kdc: Don't check PAC-OPTIONS claims-supported bit
      s4:kdc: Don't modify cached user_info_dc SIDs
      s4:kdc: Fix leak
      s4:kdc: Rename claims_blob to client_claims_blob
      s4:kdc: Split samba_kdc_get_pac_blobs() into smaller functions
      s4:kdc: Fix typo
      third_party/heimdal: Import lorikeet-heimdal-202303200103 (commit 2ee541b5e963f7cffb1ec4acd1a8cc45426a9f28)
      third_party/heimdal_build: Remove MD2
      s4:kdc: Split verifying a PAC out of updating it
      ldb: Split out ldb_val_as_dn() helper function
      ldb: Add ldb_val -> bool,uint64,int64 parsing functions
      s4:dsdb/schema: Add dsdb_attribute_by_cn_ldb_val()
      s4:kdc: Add utility functions for AD claims
      libcli/security: Add dom_sid_has_account_domain() to confirm a S-1-5-21 prefix
      tests/krb5: Don't expect client claims to be missing
      s4:torture: Assert that SID parsing succeeds
      s4:torture: Make use of torture_assert_sid_equal()
      s4-dsdb: Account for Claims Valid SID in tokenGroups
      selftest: Account for have_fast_support in determining whether FAST is supported
      s4:kdc: Add support for AD client claims
      s4:kdc: Add support for AD device claims
      librpc/ndr: Fix NULL pointer dereference
      tests/krb5: Check only for the canonical representation of a security descriptor
      tests/krb5: Add methods to get authentication policy DNs
      tests/krb5: Add method to create an authentication silo
      tests/krb5: Add method to create authentication silo claim
      tests/krb5: Add tests for constructed (authentication silo) claims
      s4:kdc: Allocate claim value on values context
      CVE-2023-0614 libcli/security: Make some parameters const
      CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
      CVE-2023-0614 s4-acl: Make some parameters const
      CVE-2023-0614 ldb: Add functions for handling inaccessible message elements
      CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements
      CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated
      CVE-2023-0614 ldb:tests: Ensure all tests are accounted for
      CVE-2023-0614 ldb: Add function to take ownership of an ldb message
      CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message
      CVE-2023-0614 ldb: Add function to add distinguishedName to message
      CVE-2023-0614 ldb: Add function to filter message in place
      CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place
      CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()
      CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own
      CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes test
      CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID
      CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences
      CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
      CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes
      CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
      CVE-2023-0614 s4-acl: Split out function to set up access checking variables
      CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
      CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it
      CVE-2023-0614 ldb: Use binary search to check whether attribute is secret
      CVE-2023-0614 ldb: Centralise checking for inaccessible matches
      CVE-2023-0614 ldb: Filter on search base before redacting message
      CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
      ldb: Use correct member of union
      s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
      CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values
      tests/krb5: Remove unused variable
      tests/krb5: Fix comment indentation
      s4-dsdb:large_ldap: Fix typos in variable names
      s4-dsdb:large_ldap: Correctly increment count variable
      s4-dsdb:large_ldap: Fix disabled test
      s4-dsdb:large_ldap: Assert that we got all the entries
      s4-dsdb:large_ldap: Note that we don't check that an error was raised
      pytest/acl: Remove unused remnants of source4/dsdb/tests/python/acl.py
      samba-tool domain: Initialise variables before attempting to use them
      s4:kdc: Remove unused parameter
      s4:kdc: Allocate memory on a temporary context
      s4:kdc: Fix typos in comments
      s4:kdc: Fix typos
      talloc: Put comment back in appropriate place
      talloc: Remove unneeded va_copy()
      ldb: Remove old misleading comments
      ldb: Remove misleading comment
      ldb: Don't wrongly claim to return message elements
      ldb: Fix function documentation to be consistent
      ldb: Avoid undefined pointer arithmetic
      s4/dsdb/util: Make some arrays static
      s4-dsdb: Remove is_attr_in_list()
      s4-dsdb: Check correct ldb opaque variable
      s4/dsdb/cracknames: Remove unneeded attribute
      s4-acl: Make parameter const
      posix_acls: Don't skip ACEs in merge_default_aces()
      s4-drs: Don't skip over elements in uref_del_dest()
      pysmbd: Fix typo in error message
      librpc/ndr: Add missing newlines to error messages
      ctdb:tool: Remove unnecessary strlen()
      pyldb: Handle allocation failure
      libndr: Handle allocation failure
      smbd/notify: Handle allocation failure
      s3:net_usershare: Handle allocation failure
      s4-dsdb: Handle allocation failure
      s3:net_usershare: Correctly escape newline in error message
      testprogs: Fix comparison
      testprogs: Make testit_expect_failure() return 0 on success
      nsswitch:tests: Remove unused functions
      testprogs: Make test_smbclient_expect_failure() return 0 on success
      testprogs: Return correct status code
      testprogs: Make test_rpcclient_expect_failure_grep() return 0 on success
      testprogs: Have testfail() return 0 on success
      s3:script: Always return a non-zero status code on failure
      testprogs: Return correct status code
      s3:tests: Correct condition
      s3:selftest: Enable winbindd for maptoguest environment
      s4:torture: Fix typo
      selftest: Fix typo
      s4:rpc_server: Handle LDB_ERR_NO_SUCH_ATTRIBUTE when deleting group
      s4:rpc_server: Ensure EnumDomainUsers() doesn't return a NULL array
      s4:torture: Correctly zero structure
      s4:torture: Don't try to close the connection after running disconnect tests
      lib/torture: Don't overwrite test outcomes
      selftest: Only run clusteredmember tests if ctdb is built
      selftest: Fix samba3.clustered.smb2.deny.deny2 test
      selftest: Catch error codes from failing testsuites
      s3:utils: Use floating-point arithmetic when result is assigned to a double
      s3:utils: Use ‘int’ for popt parameters
      s3:utils: Move error-handling code into more suitable spot (CID 1524680)
      auth/credentials: Allow resetting bind DN on Credentials object
      tests/krb5: Split out functions for testing logons and password changes
      tests/krb5: Remove test for OemChangePasswordUser2()
      tests/krb5: Pass client credentials down into kdc_exchange_dict
      tests/krb5: Handle NT hashes being disabled
      tests/krb5: Generify protected users test methods
      tests/krb5: Add method to create an authentication policy
      tests/krb5: Allow creating an account with an assigned policy or silo
      tests/krb5: Remove unneeded assertions
      s4:dsdb: Fix leak
      tests/krb5: Remove unused import
      tests/krb5: Always heed the add_dollar parameter
      libds: Add Managed Service Accounts well-known GUID
      pydsdb: Add Managed Service Accounts GUID constant
      tests/krb5: Allow creating managed service accounts
      tests/krb5: Test that the salt for a managed service account is computed correctly
      tests/krb5: Remove unused parameter
      tests/krb5: Fix parameter default
      tests/krb5: Allow setting a servicePrincipalName on a user account
      lib/http: Remove unused structure
      python/samba: Fix invalid escape sequence
      param: Fix resource leak
      lib:util: Fix undefined bitshift
      tests/krb5: Refactor _test_samlogon()
      auth/credentials: Fix NULL dereference
      docs-xml: Fix typos
      s4:kdc: Use correct target principal name in log message
      tests/krb5: Delete non-resuable accounts as soon as possible
      tests/krb5: Create account cache key only if needed
      s4:kdc: Fix typo
      s4/scripting/bin: Fix resource leak
      s4/scripting/bin: Remove unused imports
      tests/krb5: Rename ‘auth_silo’ to ‘authn_silo’
      tests/krb5: Rename ‘objectclass’ to use correct case
      tests/krb5: Allow specifying an encoded security descriptor
      tests/krb5: Make use of check_tgs_reply()
      tests/krb5: Make _tgs_req() more configurable
      s4:kdc: Remove unused parameter
      s3:lib: Fix typos
      auth/credentials: Add set_nt_hash()
      tests/krb5: Have set_forced_key() also set the NT hash
      tests/krb5: Add remove_attribute() helper function
      tests/krb5: Don’t delete silo until all tests have finished
      tests/krb5: Improve _test_samr_change_password() method
      lib:addns: Don’t call memcpy() with a NULL pointer
      s4:kdc: Don’t call memcpy() with a NULL pointer
      build:wafsamba: Fix TypeError in read_submodule_status()
      samba-tool domain provision: Use "ad dc functional level" to control max functional level
      s4:dsdb:tests: Refactor ACL test
      s4:dsdb:tests: Refactor confidential attributes test
      s4:dsdb:tests: Refactor security descriptor test
      samba-tool domain: Use result of setup_local_server() instead of object field
      samba-tool domain: Remove unnecessary variable
      pytest/password_lockout: Remove unused imports
      pytest/password_lockout: Use more specific assertion methods
      pytest/password_lockout: Use correct variable
      pytest/password_lockout: Remove unused variables
      s4-dsdb:large_ldap: Remove unused imports
      s4-dsdb:large_ldap: Remove unused variables
      auth: Return status code if configuration prohibits NTLM
      python:tests: Remove unused variables
      python: Safely clear structure members
      samba-tool domain: Run in interactive mode if no args are supplied
      netlogon:schannel: Fix typo
      s4-auth: Log correct function name
      s4:auth: Check ldb_binary_encode_string() return value
      s4:dsdb: Check ldb_binary_encode_string() return value
      s4:dsdb: Fix leaks
      s4:dsdb: Check return value of allocation functions
      s4:torture: Replace calls to deprecated function
      samba-tool domain: Remove unused variables
      samba-tool domain: Clean up code
      tests/krb5: Remove unused import
      tests/krb5: Improve edata checking
      tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data
      netlogon:schannel: Fix NULL pointer dereference
      tests/krb5: Rename ‘server’ to ‘dc_server’
      tests/krb5: Allow specifying machine credentials to _test_samlogon()
      tests/krb5: Allow server and workstation accounts to perform a SamLogon
      tests/krb5: Allow specifying whether PA-DATA types are to be checked
      tests/krb5: Add tests for authentication policies
      s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant
      s4:kdc: Include missing headers
      libcli: Add missing include
      s4:kdc: Add missing includes and declarations
      s4:kdc: Factor out PAC blob functions into new source file
      s4:kdc: Fix typos
      s4:kdc: Fix debugging strings
      s3:utils: Fix typo
      auth: Remove unnecessary return statements
      s4:auth: Split out new function to generate a security token
      s4:auth: Fix typos
      s4:kdc: Make use of auth_generate_security_token()
      s4:kdc: Fix leaks
      s4:kdc: Remove double-free
      s4:kdc: Remove double-free
      s4:kdc: Check ldb_dn_new() return value
      s4:kdc: Fix error messages
      s4:kdc: Fix diagnostic messages
      auth: Correct parameter order in header
      auth: Fix leaks
      s4:auth: Fix leak
      s4:auth: Remove superfluous semicolon
      lib:audit_logging: Add function to add flags to a JSON message
      lib:audit_logging: Add function to add an optional boolean value to a JSON message
      lib:audit_logging: Add function to add a formatted time value to a JSON message
      lib:audit_logging: Fix typo in log message
      s4:kdc: Add NTSTATUS strings to log messages
      s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure
      s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure
      s4:kdc: Add helper functions for authentication policies
      third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0)
      s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag
      s4:kdc: Make maximum lifetime and renew time signed
      s4:kdc: Look up authentication policies for Kerberos clients and servers
      s4:kdc: Enforce TGT lifetime authentication policy
      s4:kdc: Have get_claims_for_principal() take the entire principal
      s4:kdc: Don’t perform unnecessary search to get account objectClass
      s4:kdc: Make use of dsdb_search_one()
      s4:kdc: Add support for constructed claims (for authentication silos)
      s4:kdc: Use talloc_get_type_abort()
      tests/krb5: Be less particular about expected status codes for S4U tests
      tests/krb5: Be less particular about getting NTSTATUS codes for KDC TGS tests
      tests/krb5: Set expected_status even if expect_status is not true
      s4:kdc: Use more suitable type for final_ret
      s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure
      third_party/heimdal: Import lorikeet-heimdal-202305170245 (commit 9c903d03c31ec96af79e2723e3ae41890dd83122)
      s4:kdc: Add NTSTATUS e-data to KDC reply
      s4:kdc: Remove manual addition of error data
      tests/krb5: Move modify_requester_sid_time() to RawKerberosTest
      tests/krb5: Use consistent time between get_KerberosTime() calls
      tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter
      tests/krb5: Rename modify_requester_sid_time() to modify_lifetime()
      tests/krb5: Add tests presenting short-lived ticket in various scenarios
      third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b87869e77f1f1d2ee1f0d32a0)
      s4:kdc: Check lifetime of correct ticket
      s4:kdc: Note correct constant
      pyglue: Fix typo
      pyglue: Check generate_random_str() return value
      pyglue: Raise an exception on error
      s4/messaging/py: Remove incorrect function names in messaging.Messaging()
      s4/messaging/py: Document lp_ctx parameter of messaging.Messaging()
      s4/messaging/py: Add more helpful error message for a wrongly-sized tuple
      s4/messaging/py: Fix typo
      s4/messaging: Return the number of previously-registered functions that are removed
      s4/messaging/py: Fix leaks
      s4/messaging/py: Fix leak
      s4/messaging/py: Fix callback return value leak
      s4/messaging/py: Check py_return_ndr_struct() return value
      s4/messaging/py: Fix leak of p_server_id
      s4/messaging/py: Fix leaks
      s4/messaging/py: Fix typo
      selftest: Report better error message if environment is unknown
      s4:kdc: Allocate user_info_dc->sids on correct talloc context
      s4:auth: Allocate user_info_dc->sids on correct talloc context
      s4:kdc: Make functions static
      s4:kdc: Make parameters const
      s4:kdc: Use talloc_steal() rather than talloc_reference()
      lib:audit_logging: Check return value of json_new_object()
      lib:audit_logging:tests: Check return value of json_new_{object,array}()
      s3:utils: Check return value of json_new_object()
      audit_tests: Check return value of json_new_array()
      s4:kdc: Move parameter comments adjacent to parameters
      tests/audit_log: Pre-compile GUID regex
      tests/auth_log_winbind: Expect an empty remote address
      tests/auth_log: Don’t silently override remoteAddress
      tests/auth_log: Call setUpClass() method of base class
      tests/auth_log: Rename ‘self’ parameter to ‘cls’
      tests/auth_log: Simplify isRemote()
      pyldb: Fix leak
      pytest: dcerpc/dnsserver: Remove unused import
      pytest: dcerpc/dnsserver: Call setUpClass() method of base class
      s4-dsdb:large_ldap: Call setUpClass() method of base class
      tests/krb5: Move TestCaseInTempDir to more appropriate place in class hierarchy
      tests/krb5: Don’t cache accounts with an assigned policy or silo
      tests/auth_log: Pre-compile GUID regex
      tests/audit_log: Correctly check for GUID
      tests/auth_log: Correctly check for GUID
      tests/auth_log: Rename ‘self’ parameter to ‘cls’
      tests/auth_log: Rename ‘self’ parameter to ‘cls’
      tests/audit_log: Remove unneeded len() call
      tests/auth_log: Remove unneeded len() call
      tests/auth_log: Correctly get lp_ctx
      tests/audit_log: Make discardMessages() more reliable
      tests/auth_log: Expect no messages when changing a non-existent user’s password
      tests/auth_log: Make discardMessages() more reliable
      tests/auth_log: Call discardMessages() on class
      tests/audit_log: Remove unnecessary checks
      tests/auth_log: Remove unnecessary check
      tests/audit_log: Add missing call to tearDown()
      tests/auth_log: Add missing call to tearDownClass()
      tests/auth_log: Remove debugging code
      librpc/idl: Fix indentation
      samba-tool domain: Handle new NBT_SERVER_* flags
      net_ads: Handle new NBT_SERVER_* flags
      s4:torture: Handle new NBT_SERVER_* flags
      s4:torture: Consistently use NBT_SERVER_* flags
      s4:rpc_server/samr: Log correct authentication description for samr_ChangePasswordUser2()
      python:tests: Fix f-strings
      python:tests: Exclude Python test directories
      python:tests: Remove unused imports
      python:tests: Initialize global variable
      python:tests: Make script executable
      python:tests: Ensure that we don’t overwrite tests
      libcli: Don’t call memcpy() with a NULL pointer
      tests/auth_log: Factor out isRemote()
      selftest: Assert trust realm is not None
      pyldb: Raise an exception if ldb_dn_get_parent() fails
      pyldb: Check for allocation failure in py_ldb_dn_get_parent()
      samba-tool: Fix typo
      samba-tool ou: Remove unused import
      samba-tool ou: Remove unused variables
      param: Remove reference to unrecognized parameter ‘directory name cache size’
      selftest: Fix typo
      selftest: Remove duplicate knownfails
      s4/scripting/bin: Add NT_STATUS_OK to list of definitions
      tests/auth_log: Make samba.tests.auth_log test executable
      tests/auth_log: Properly expect authentication failures
      s4:kdc: Don’t log authentication failures as successes
      s4:kdc: Consolidate assignments to r->error_code and final_ret
      librpc/idl: Add authentication policy event IDs
      tests/krb5: Keep track of the type of each created account
      tests/krb5: Cache created authentication policies
      tests/krb5: Test authentication logging of TGT lifetimes
      tests/krb5: Add a couple of authentication policy tests
      tests/krb5: Fix overlong lines
      tests/krb5: Keep track of account SIDs
      tests/krb5: Make use of KerberosCredentials.get_sid()
      s4:kdc: Fix typo
      tests/krb5: Remove unneeded ‘dn’ parameter
      tests/krb5: Test S4U2Self followed by constrained delegation with authentication policies
      tests/krb5: Test authentication with policy restrictions and a wrong password
      tests/auth_log: Add method to fetch the next relevant message from the messaging bus
      tests/auth_log: Refactor waitForMessages() to use nextMessage()
      auth: Move authn_policy code into auth subsystem
      s4:kdc: Rename authn_kerberos_client_policy::tgt_lifetime to tgt_lifetime_raw
      s4:kdc: Rename ‘lifetime’ to indicate that it is measured in seconds
      s4:kdc: Add structure containing authentication policy auditing information
      s4:kdc: Add helper functions to create optional int64 values
      s4:kdc: Add functions to create structures of auditing information for authentication policies
      s4:kdc: Add getter functions for authn_audit_info
      s4:kdc: Add function to perform an authentication policy access check with a device
      s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’
      s4:kdc: Generate auditing infomation for NTLM device restrictions
      s4:kdc: Add function to perform an access check to a service
      lib:audit_logging: Add function to create JSON object containing auditing information
      auth: Add new ‘KDC Authorization’ log type
      tests/auth_log: Add support for new ‘KDC Authorization’ log type
      tests/auth_log: Ensure tests continue to pass when new log types are added
      s4:kdc: Log TGS-REQs in the Heimdal KDC
      s4:auth: Enforce device restrictions for NTLM authentication
      s4:auth: Enforce machine authentication policy for NTLM authentication
      s4:auth: Remove unneeded ‘sam_ctx’ parameter
      tests/krb5: Test that FX-COOKIE matches cookie returned by Windows
      third_party/heimdal: Import lorikeet-heimdal-202306112240 (commit c7f4ffe1a6e8dafc86ec3357c498d31c97ece386)
      s4:kdc: Replace FAST cookie with dummy string
      s4:kdc: Gate claims, auth policies and NTLM restrctions behind 2012/2016 FLs
      tests/krb5: Improve authentication policy creation
      tests/krb5: Test more authentication logging of TGT lifetimes
      tests/krb5: Test authentication policy audit logging
      netcmd: domain: Fix typo
      python:tests: Fix typos
      lib:audit_logging: Add function to return the JSON null object
      auth: Add functionality to log client and server policy information
      s4:auth: Set ‘authoritative’ even if there is an error
      s4:auth: Add audit info parameters to check_password_recv()
      s4:auth: Log authentication policies for NTLM authentication
      s4:kdc: Add functionality to log client and server authentication policies
      s4:kdc: Add helper function to determine whether authentication to a server is allowed
      s4:kdc: Add helper function to determine whether a device is allowed to authenticate
      s4:kdc: Make krb5_principal parameters const
      s4:kdc: Add singular out path to samba_kdc_update_pac_blob()
      s4:kdc: Have samba_kdc_update_pac_blob() return krb5_error_code
      s4:kdc: Log errors in samba_kdc_update_pac_blob()
      s4:kdc: Remove unused PAC_SIGNATURE_DATA parameters
      s4:kdc: Have samba_kdc_update_pac_blob() do less
      s4:kdc: Move adding compounded authentication SID out of samba_kdc_obtain_user_info_dc()
      s4:kdc: Use samba_kdc_obtain_user_info_dc() for !client_pac_is_trusted case
      s4:kdc: Unify common code paths
      s4:kdc: Flip sense of condition
      s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged
      s4:kdc: Create a temporary talloc context on which to allocate
      s4:kdc: Use talloc_get_type_abort()
      netcmd: domain: Fix typo
      tests/auth_log_pass_change: Fix flapping test
      tests/krb5: Add test for authenticating with disabled account and wrong password
      third_party/heimdal: Import lorikeet-heimdal-202306192129 (commit 0096f9c1dc105d8ac9f7dd96d653b05228f7d280)
      s4:kdc: Update Samba KDC plugin to match new Heimdal version
      s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors
      s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event
      s4:kdc: Remove unused ‘server’ parameter in pac_verify()
      tests/krb5: Don’t unnecessarily specify ‘id’
      tests/krb5: Fix RBCD comments
      tests/krb5: Test that client policies are not enforced with S4U
      s4:kdc: Add comment stating that policies aren’t looked up for S4U clients
      s4:kdc: Check authentication policy device restrictions
      s4:kdc: Check authentication policy server restrictions
      s4:kdc: Enforce authentication policy service restrictions when getting a PAC
      s4:kdc: Remove unnecessary NULL check
      s4:kdc: Make [client,device]_claims_blob const pointers
      s4:kdc: Add comment to clarify that we fetch the client claims
      s4:kdc: Don’t overwrite error code
      third_party/heimdal: Import lorikeet-heimdal-202306200407 (commit fc2894beeaa71897753975154a5f7fd80b923325)
      s4:kdc: Initialize pointers with NULL
      s4:kdc: Remove useless sdb → hdb error code translation
      tests/krb5: Be less strict regarding acceptable delegation error codes
      tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses
      s4:kdc: Implement Heimdal hook for resource-based constrained delegation
      s4:kdc: Include default groups in security token
      librpc:ndr: Fix overflow in ndr_push_expand
      librpc/nbt: Avoid reading invalid member of union
      tests/krb5: Remove unused variables
      s4:kdc: Fix wrong debug message
      tests/krb5: Add PKINIT error codes
      tests/krb5: Add PKINIT typed data errors
      tests/krb5: Add PKINIT pre-authentication types
      tests/krb5: Add PK-INIT ASN1 definitions and include licence
      tests/krb5: Refactor encryption type selection
      tests/krb5: Add helper methods for PK-INIT testing
      tests/krb5: Allow KerberosCredentials to have associated RSA private key
      tests/krb5: Add PK-INIT testing framework
      tests/krb5: Check PAC_TYPE_CREDENTIAL_INFO PAC buffer
      tests/krb5: Remove unused methods
      tests/krb5: Add tests for PK-INIT Freshness Extension (RFC 8070)
      tests/krb5: Add ASN.1 definitions for Windows 2000 PK-INIT
      tests/krb5: Test Windows 2000 variant of PK-INIT
      third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)
      third_party/heimdal_build: Make Heimdal version strings const
      s4:kdc: Add auth_data_reqd flag to SDBFlags
      tests/krb5: Factor out a method to create a certificate
      tests/krb5: Factor out a method to fetch the CA certificate and private key
      tests/krb5: Have the caller of create_certificate() fetch the CA certificate and private key
      tests/krb5: Allow passing a pre-created certificate into _pkinit_req()
      tests/krb5: Add a test for PK-INIT with a revoked certificate
      third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498)

Li Yuxuan (2):
      audit_logging:tests: Add big_int test for `json_add_int`
      audit_logging: Use `json_int_t` instead of `int` for `json_add_int` value type

Martin Schwenke (20):
      ctdb-scripts: Reformat script with "shfmt -w -p -i 0 -fn"
      ctdb-scripts: Do not replace commas with spaces in "smb ports" list
      ctdb-scripts: Avoid using testparm to process its own output
      ctdb-tools: Avoid ShellCheck warning SC2317
      ctdb-scripts: Avoid ShellCheck warnings SC2317, SC2086
      ctdb-tests: Avoid ShellCheck warning SC2086
      ctdb-tests: Drop unused test code for tunables
      ctdb-tests: Reformat with "shfmt -w -p -i 0 -fn"
      ctdb-tests: Drop unreachable code
      ctdb-tests: Avoid ShellCheck warnings SC2046, SC2005
      ctdb-tests: Avoid ShellCheck warning SC2059
      ctdb-tests: Avoid ShellCheck warnings
      ctdb-tests: Run ShellCheck on event-script unit test support scripts
      ctdb-logging: Really make NOTICE the default debug level
      ctdb-tools: Fix a typo in a log message
      ctdb-tools: Switch tickle ACK sending message to INFO level
      ctdb-server: Avoid logging a count of 0 resent calls
      docs-xml: Fix rid idmap backend documentation
      docs-xml: Tweak autorid idmap backend documentation
      docs-xml: Fix script idmap backend documentation

Nathaniel W. Turner (1):
      dsgetdcname: do not assume local system uses IPv4

Noel Power (3):
      s3/utils: value for ace_flags value "FA" is incorrect
      s3/utils: when encoding ace string use "FA", "FR", "FW", "FX" string rights
      s3/utils: avoid erronous NO MEMORY detection

Pavel Filipenský (32):
      auth/credentials: Fix trailing whitespaces
      auth/credentials: Fix unitialized data
      Add gitleaks configuration file to avoid false positives
      s3:winbind: Fix wrong string zero termination for empty groups
      testprogs: Set PREFIX_ABS before it is used in test_primary_group.sh
      s3:script: Add samba-log-parser
      docs-xml:manpages: Add man page for samba-log-parser
      WHATSNEW.txt: Improved winbind logging and samba-log-parser
      s3:winbind: Fix trailing whitespace in winbindd_msrpc.c
      s3:winbind: Fix trailing whitespace in winbindd_reconnect.c
      s3:winbind: Fix trailing whitespace in winbindd_cache.c
      s3:winbind: Add lookup_aliasmem to winbindd_methods and implement it in all backends
      s3:winbind: Add wbint_LookupAliasMembers to winbind interface
      s3:winbind: Add wb_alias_members_{send/recv}
      s3:winbind: Convert wb_group_members_send() to resolve array of groups
      lib:dbwrap: Fix trailing whitespace in lib/dbwrap/dbwrap.h
      lib:dbwrap: Add dbwrap_merge_dbs()
      s3:winbind: s/wb_group_members_send/wb_alias_members_send/ for SID_NAME_ALIAS in wb_getgrsid_sid2gid_done()
      s3:winbind: Remove SID_NAME_ALIAS code from rpc_lookup_groupmem()
      s3:winbind: Include local groups in _wbint_QueryGroupList
      s3:winbind: Fix the default group for the 'Guest' user
      s4:torture: Skip test_membership_user for users that get incorrectly assigned group sid
      selftest: set 'winbind expand groups = 10' for ad_member_idmap_rid
      tests: Fix idmap.rid.getgrnam for ad_member_idmap_rid with 'winbind expand groups = 10'
      s3:selftest: Add environ parameter to plansmbtorture4testsuite
      s3:selftest: Pass environ to local.nss
      s4:torture: Limit run of test_membership_user() only to ad_member_idmap_rid
      testprogs: Add test_alias_membership
      third_party: Update nss_wrapper to version 1.1.15
      s3:tests: Add rpcclient 'dfsgetinfo' test
      s3:rpc_server: Initialize consumedcnt to 0 in _dfs_GetInfo()
      s3:rpc_server: Fix double blackslash issue in dfs path

Ralph Boehme (41):
      mdssvc: fix kMDScopeArray parsing
      s3: smbd: Add utility function smb1_strip_dfs_path().
      smbd: use smb1_strip_dfs_path() in reply_ntcreate_and_X()
      smbd: use smb1_strip_dfs_path() in call_nt_transact_create()
      smbd: use smb1_strip_dfs_path() in reply_ntrename()
      smbd: use smb1_strip_dfs_path() in reply_ntrename()
      smbd: use smb1_strip_dfs_path() in reply_checkpath()
      smbd: use smb1_strip_dfs_path() in reply_getatr
      smbd: use smb1_strip_dfs_path() in reply_setatr()
      smbd: use smb1_strip_dfs_path() in reply_open()
      smbd: use smb1_strip_dfs_path() in reply_open_and_X()
      smbd: use smb1_strip_dfs_path() in reply_mknew()
      smbd: use smb1_strip_dfs_path() in reply_ctemp()
      smbd: use smb1_strip_dfs_path() in reply_unlink()
      smbd: use smb1_strip_dfs_path() in reply_mkdir()
      smbd: use smb1_strip_dfs_path() in reply_rmdir()
      smbd: use smb1_strip_dfs_path() in reply_mv()
      smbd: use smb1_strip_dfs_path() in reply_mv()
      smbd: use smb1_strip_dfs_path() in call_trans2open()
      smbd: use smb1_strip_dfs_path() in call_trans2qpathinfo()
      smbd: use smb1_strip_dfs_path() in smb_set_file_unix_hlink()
      smbd: use smb1_strip_dfs_path() in call_trans2setpathinfo()
      smbd: use smb1_strip_dfs_path() in call_trans2mkdir()
      smbd: use smb1_strip_dfs_path() in reply_search()
      smbd: use smb1_strip_dfs_path() in call_trans2findfirst()
      smbd: RIP DFS pathname processing in filename_convert_dirfsp_nosymlink()
      smbd: squash check_path_syntax() variants
      CI: add a test creating a vetoed file
      smbd: Prevent creation of vetoed files
      rpcd_mdssvc: initialize POSIX locking
      CI: add a test that checks the dosmode of symlinks
      smbd: zero intialize SMB_STRUCT_STAT in vfswrap_readdir()
      smbd: also reset struct stat_ex.cached_dos_attributes in SET_STAT_INVALID()
      CI: add a test for fruit AppleDouble conversion when deletion triggers conversion
vfs_fruit: return ENOENT instead of EISDIR when trying to open AFP_Resource for a directory vfs_fruit: never return AFP_Resource stream for directories libadouble: allow FILE_SHARE_DELETE in ad_convert_xattr() vfs_fruit: just log failing AppleDouble conversion vfs_fruit: add fruit:convert_adouble parameter smbd: call exit_server_cleanly() to avoid panicking smbd: don't leak the fsp if close_file_smb() fails Remi Collet (2): libsmb: fix regression on smbc_getxattr and fix doc libsmb: Fix test for smbc_getxattr Rob van der Linde (84): Python: remove pydoctor selftest: Fix some typos in selftest tests.py selftest: pep8: too many blank lines selftest: remove unused import selftest: specify env rather than picking it up from loop selftest: make two samba-tool drs tests generic selftest: fix flapping samba-tool drs showrepl test selftest: fix invalid loop variables uid and gid selftest: fix scope and attrs not passed to search selftest: fix typo in test comment selftest: fix mutable default arguments buildtools: fix mutable default arguments selftest: source4: fix mutable default arguments selftest: source3: fix mutable default arguments python: fix mutable default arguments netcmd: domain: turn domain.py into a module netcmd: domain: fix unused imports netcmd: domain: move domain_backup.py to domain/backup.py netcmd: domain: move classicupgrade command to domain/classicupgrade.py netcmd: domain: move dcpromo command to domain/dcpromo.py netcmd: domain: move demote command to domain/demote.py netcmd: domain: move functional_prep command to domain/functional_prep.py netcmd: domain: move info command to domain/info.py netcmd: domain: move join command to domain/join.py netcmd: domain: move keytab command to domain/keytab.py netcmd: domain: move leave command to domain/leave.py netcmd: domain: move level command to domain/level.py netcmd: domain: move paswordsettings command to domain/passwordsettings.py netcmd: domain: move provision command to domain/provision.py netcmd: 
domain: move samba3upgrade command to domain/samba3upgrade.py netcmd: domain: move schemaupgrade command to domain/schemaupgrade.py netcmd: domain: move tombstones command to domain/tombstones.py netcmd: domain: move trust command to domain/trust.py netcmd: simplify boolean check sd_utils: fix typo in get_sd_as_sddl docstring netcmd: add claim sub-commands to samba-tool domain netcmd: tests for claims client tool docs: update manpage for samba-tool CVE-2023-0922 set default ldap client sasl wrapping to seal dsdb: fix spelling in password_hash.c dsdb/tests: Add test for modification of unicodePwd over a cleartext/signed connection dsdb: modify unicodePwd requires encrypted connection dsdb/tests: fix assignment to for loop variable s4/scripting: fix a few invalid docstring args s4/scripting: fix a few trailing semicolons in gen_{hresult,ntstatus,werror}.py s4/dsdb: fix unnecessary backslash s4/scripting: fix % len(res) was in the wrong place netcmd: add optparse validators and Range validator netcmd: add custom json encoder for object type fields netcmd: add domain models and basic model layer netcmd: domain: add authentication silo commands netcmd: domain: tests for auth silo command line tools netcmd: domain: rename claim tests for consistency netcmd: domain: claim: show err if assertIsNone fails netcmd: domain: fix attributes created by test setUp method netcmd: domain: fix claims constant name was wrong should be claim type CN netcmd: domain: claim commands use the model layer netcmd: domain: claims: use consistent naming for options netcmd: PEP257 fix incorrect docstring quotes netcmd: move ldb_connect method to base class netcmd: fix import sort/grouping as per python standard netcmd: move method print_json to command base class netcmd: move get_policy method from base class to the model netcmd: domain: add test for silo if policy is a dn netcmd: auth silos: remove base class netcmd: domain: add models for ClassSchema and AttributeSchema netcmd: domain: claims: 
make use of AttributeSchema and ClassSchema models netcmd: domain: claims: move claim value type lookup by attribute to model netcmd: domain: claims: base class is no longer required netcmd: domain: remove parse_guid and parse_text as they are no longer used netcmd: domain: silo member add and remove does not write whole list netcmd: domain: model field tests netcmd: domain: silo member command tests netcmd: domain: man page updates for auth silo and policy cli netcmd: domain: model stores ldb message for save netcmd: domain: add model exceptions and error handling netcmd: domain: add error handling to domain auth commands netcmd: domain: add error handling to domain claims commands netcmd: add Subnet and Site models netcmd: add list and view commands for sites and subnets netcmd: sites: make use of ldb_connect from base class netcmd: sites: tests for list and view sites and subnet netcmd: sites: add missing subnet commands to samba-tool manpage netcmd: sites: add sites and subnet list and view commands to manpage SATOH Fumiyasu (5): build:wafsamba: Allow lib for CHECK_VALUEOF() build:waf: Check value of GNU_TLS_* with detected env selftest: Report "unknown environment" if setup returns "UNKNOWN" tests: Replace iconv(1) UTF-16LE conversion with a python3 call third_party: Fix version of socket_wrapper and uid_wrapper Samuel Cabrero (1): selftests: Make sure print queue is empty before printing_var_exp test ends Stefan Metzmacher (149): smbd: rename 'op' into 'global' in smbXsrv_open_cleanup_fn() winbindd: don't call set_domain_online_request() in the idmap child idmap_autorid: fix ID_REQUIRE_TYPE for more than one SID for an unknown domain idmap_hash: provide ID_TYPE_BOTH mappings also for unixids_to_sids idmap_hash: fix comments about the algorithm idmap_hash: remove unused error checks idmap_hash: we don't need to call idmap_hash_initialize() over an over again idmap_hash: mirror the NT_STATUS_NONE_MAPPED/STATUS_SOME_UNMAPPED logic from idmap_autorid idmap_hash: 
split out a idmap_hash_id_to_sid() helper function idmap_hash: split out a idmap_hash_sid_to_id() helper function idmap_hash: return ID_REQUIRE_TYPE only if there's a chance to get a mapping later idmap_hash: only return ID_REQUIRE_TYPE if we don't know about the domain yet idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache idmap_hash: remember new domain sids in idmap_hash_sid_to_id() libcli/security: introduce struct sddl_transition_state libcli/security: simplify rid-based SDDL sid strings libcli/security: simplify sddl_encode_sid() libcli/security: prepare sddl machine/forest_sid handling lib/ldb-samba: let ldif_read_ntSecurityDescriptor() only try sddl if isupper() replace: add ARRAY_INSERT_ELEMENT() helper libcli/security: prepare security_descriptor_acl_add() to place the ace at a position libcli/security: add security_descriptor_[s|d]acl_insert() helpers py_security: allow idx argument to descriptor.[s|d]acl_add() python/samba/ndr: add ndr_deepcopy() helper python:sd_utils: introduce update_aces_in_dacl() helper python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers samba-tool: rewrite dsacl.py to use the new sd_utils helpers s4:dsdb/tests: let OwnerGroupDescriptorTests.test_141() set the required ACE explicitly s4:dsdb/tests: let OwnerGroupDescriptorTests() remove temporary ACEs on cleanup s4:dsdb/tests: let AclUndeleteTests.test_undelete() remove the temporary ACE again s4:dsdb/tests: convert sec_descriptor.py to use assert[Not]In() s4:dsdb/tests: allow sec_descriptor.py to run against Windows 2022 s4:dsdb/tests: add more detailed tests to sec_descriptor.py libcli/security: rewrite calculate_inherited_from_parent() blackbox/dbcheck: also run currently unused dbcheck_reset_well_known_acls s4:dsdb/tests: use changetype: modify in order to delete a single attribute python/tests: use changetype: modify in order to delete a single attribute schema_upgrade: add support for ntdsschemamodrdn and ntdsschemadelete 
functional_prep: fix error handling in order to stop on the first error forest_update: ignore ldb.ERR_ATTRIBUTE_OR_VALUE_EXISTS in operation_ldif() forest_update: only update SDDL for schema objects forest_update: we don't need any controls to update sddl attributes forest_update: make use of self.sd_utils.update_aces_in_dacl() forest_update: be more verbose about updates domain_update: be more verbose about updates domain_update: make use of '"CN"' in sddl instead of using an explicit SID domain_update: remove useless searches to '(objectClass=samDomain)' domain_update: make use of self.sd_utils.update_aces_in_dacl() lib/ldb: let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix lib/ldb: re-order code in ldb_ldif_to_pyobject() python/samba: let modify_ldif() verify the changetype value lib/ldb: add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject() python/samba: add support for LDB_CHANGETYPE_DELETE to modify_ldif() lib/ldb: add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject() python/samba: add support for LDB_CHANGETYPE_MODRDN to modify_ldif() python/samba: adapt ms_forest_updates_markdown.py to the latest Forest-Wide-Updates.md python/samba: adapt ms_schema[_markdown].py to the latest schema definitions setup/ad-schema: add the latest v1803 and v1903 schema files from Microsoft setup/adprep: import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md forest_update: behave more like a Windows 2022 server domain_update: implement updates 82-89 in order to reach the latest w2016 level python/samba: let get_domain_descriptor() include adprep 2016 ACEs samba-tool: allow 'domain level raise' to support level 2016 samba-tool: let 'domain functionalprep' to use functional level 2016 by default samba-tool: let 'domain schemaupgrade' to use the 2019 schema by default samba-tool: let 'domain provision' to use the 2019 schema by default python:provision: run adprep as part of provision python:join: run domain adprep as 
part of join_provision_own_domain() s4:dsdb/tests: let linked_attributes.py use a container as testbase s4:dsdb/tests: let a test to demonstrate the behavior of invisible backlinks s4:dsdb/schema: remember if a backlink attribute is not allowed on class 'top' s3:dsdb/repl_meta_data: fix possible memleak on error in replmd_modify_la_add() s4:dsdb/repl_meta_data: check replmd_add_backlink() result in replmd_modify_la_add() s4:dsdb/util: split out dsdb_module_obj_by_guid() from dsdb_module_dn_by_guid() s4:dsdb/repl_meta_data: let replmd_process_backlink() use dsdb_module_obj_by_guid() s4:dsdb/repl_meta_data: let replmd_process_backlink() use the source_dn variable s4:dsdb/common: rename DSDB_RMD_FLAG_INVISIBLE to DSDB_RMD_FLAG_HIDDEN_BL s4:dsdb/repl_meta_data: let replmd_process_backlink() set DSDB_RMD_FLAG_HIDDEN_BL is needed s4:dsdb/objectclass_attrs: allow all backlinks even if not allowed by the schema s4:dsdb/extended_dn_out: make use of the existing have_reveal_control variable s4:dsdb/extended_dn_out: use dsdb_dn_val_rmd_flags() instead of dsdb_dn_is_deleted_val() s4:dsdb/extended_dn_out: hide backlinks with DSDB_RMD_FLAG_HIDDEN_BL by default testprogs/blackbox: add test_net_ads_search_server.sh net_ads: fill ads->auth.realm from c->creds smbXsrv_tcon: avoid storing temporary (invalid!) records. vfs_fruit: avoid using 'conn->tcon->compat', we can just use 'conn'! 
selftest:Samba3: use the correct NSS_WRAPPER_HOSTNAME s3:locking: fix debug level for NT_STATUS_NOT_FOUND messanges in get_static_share_mode_data python:descriptor: add missing schema 2019 aces in builtin and dns partition librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms smb2_server: optimize SMB2_OP_KEEPALIVE (SMB2 Echo) smbprofile: add smbprofile_active() helper s3:smbd: only do profiling overhead in smbd_tevent_trace_callback() when needed smb2_server: use MSG_DONTWAIT to get non-blocking send/recvmsg lib/util: use RUNNING_ON_VALGRIND to check if valgrind is used lib/replace: check for valgrind/callgrind.h smb2_negprot: add CALLGRIND_START_INSTRUMENTATION after SMB2 negprot s4:torture/smb2: move benchmarking tests to bench.c s4:torture/smb2: add --option="torture:looplimit=150000" to smb2.bench.echo s4:torture/smb2: add smb2.bench.read test third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de) selftest: run tests with LANGUAGE=en_US bootstrap: force use of LANGUAGE=en_US bootstrap: make sure we have gnutls-cli from gnutls-bin/gnutls-utils docs-xml/smbdotconf: also allow 2012[_R2] for 'ad dc functional level' samba-tool: check for invalid 'domain level' subcommands first samba-tool: let 'domain level raise --domain-level' use the correct crossRef dn samba-tool: move some parts of 'domain level [show|raise]' in to try/except samba-tool: move some parts of 'domain level [show|raise]' in to subfunctions samba-tool: let 'domain level raise' call check_and_update_fl() in a transaction testprogs/blackbox: also prepare for to 2016 (schema=2019) in functionalprep.sh testprogs/blackbox: also raise the levels to 2012_R2/2016 in functionalprep.sh tests/krb5/s4u_tests.py: add test_constrained_delegation_with_enc_auth_data_[no_]subkey() tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime vfs_aio_pthread: don't crash without a pthreadpool samba-tool/ntacl: let changedomsid ignore 
symlinks samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at all samba-tool/ntacl: add set --verbose and print out the file/directory name samba-tool/ntacl: implement set --recursive testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in test_samba-tool_ntacl.sh testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh s4:kdc: handle passwords from the history in hdb_samba4_auth_status() s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0) s4:dsdb/tests: also verify too old, older password interaction with badPwdCount s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key() s4:kdc: adjust formatting of samba_kdc_update_pac() documentation s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac() s4:kdc: clear client and device claims from trusts s4:kdc: don't log an error if msDS-AllowedToActOnBehalfOfOtherIdentity is missing .gitlab-ci:bootstrap: remove ubuntu1804*, add debian12, upgrade opensuse 15.5 wb_dsgetdcname: don't use stack variables for async code s3:libads: re-initialize num_requests to 0 for cldap_ping_list retries s3:winbindd: call reset_cm_connection_on_error() in wb_cache_query_user_list() s3:winbindd: make use of reset_cm_connection_on_error() for winbindd_lookup_{names,sids}() s3:winbindd: let winbind_samlogon_retry_loop() always start with authoritative = 1 s3:winbindd: make use of reset_cm_connection_on_error() in winbind_samlogon_retry_loop() s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS netlogon.idl: add support for netr_LogonGetCapabilities response level 2 s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels netlogon.idl: add 
some comments to netr_OsVersionInfoEx ldapcmp: also ignore operatingSystem similar to operatingSystemVersion upgradeprovision: handle operatingSystem similar to operatingSystemVersion s4:dsdb: let dsdb_check_and_update_fl() also operatingSystem[Version] s4:pydsdb: add dc_operatingSystemVersion() helper s4:provision: use better values for operatingSystem[Version] talloc: release 2.4.1 Volker Lendecke (204): smbd: Use generate_nonce_buffer() in smbXsrv_open_global_allocate() smbd: Move smbXsrv_open_global_verify_record() down in smbXsrv_open.c smbd: Simplify smbXsrv_open_global_store() smbd: Make smbXsrv_open_global_allocate() store the record smbd: Use dbwrap_do_locked() in smbXsrv_open_global_allocate() smbd: Use dbwrap_do_locked() in smbXsrv_open_update() smbd: Use dbwrap_do_locked() in smbXsrv_open_close() smbd: Use dbwrap_do_locked() in smbXsrv_open_cleanup() smbd: let smbXsrv_open_cleanup() delete broken records smbd: Use dbwrap_do_locked() in smb2srv_open_recreate() smbd: Remove smbXsrv_open_global0->db_rec smbd: Use ISDOT() in dptr_create() lib: Simplify ms_has_wild() with strpbrk() lib: Fix a typo smbd: Simplify struct dptr_struct smbd: Simplify SeekDir() with an early return smbd: Remove dptr_struct->spid smbd: Remove dptr_struct->expect_close vfs: Fix whitespace in vfs_aixacl_util.c tests: Move libsmb-basic to fileserver_smb1 environment tests: Show that the case sensitive large dir optimization is broken smbd: Fix case normalization in for directories librpc: Make rpc_pipe_open_np() public and async librpc: Remove unused sync rpc_transport_np_init() torture3: test rpc scalability rpcd: Increase listening queue rpcd: Do blocking connects to local pipes rpcd: With npa->need_idle_server we can have more than 256 servers Fix a typo libsmb: Avoid a duplicate memset(.., 0, ..); vfs: Replace a "== false" with a "!" 
smbd: Fix a typo smbd: Remove a variable only ever set to NULL lib: Fix whitespace lib: librpc/gen_ndr/security.h needs DATA_BLOB libcli/security: Avoid includes.h libcli/util: Avoid an includes.h lib: Remove a talloc_stackframe() lib: Fix a typo lib: Move the dump_data_pw() prototype to the other dump_data_* ones lib: Add dump_data_addbuf() smbd: DBG_DEBUG raw create contexts received from the client smbd: Directly initialize a "fsp1" rpcd: Use size_t for walking an array build: Fix a long line libcli: Shrink .data segment by 43264 bytes libcli: Shrink .data segment by 43264 bytes librpc: Simplify dcerpc_default_transport_endpoint() libsmb: Convert cli_posix_stat_send/recv() to modern conventions winbind: Factor out idmap_config_name() winbind: Add idmap_config_string_list() idmap: Initialize struct idmap_ad_context idmap_ad: Add "deny ous" and "allow ous" options tests: Slightly simplify test_idmap_ad.sh test: Add a test for "deny ous" pyldb: Fix a copy&paste error, CID 1524512 DEADCODE torture3: Add tdb-validate test lib: Fix tdb_validate() for incorrect tdb entries smbd: Indicate posix pathnames if SMB311 POSX cc requested streams_depot: Create files when requested tests: Show that streams_depot and shadow_copy2 don't play together shadow_copy2: Fix stream open for streams_depot paths libsmb: Introduce type-safe struct cli_smb2_create_flags libsmb: Make cli_qpathinfo2_done() parse the results libsmb: Make cli_smb2_qpathinfo2() asynchronous libsmb: Slightly simplify smbc_init() libsmb: Avoid an explicit ZERO_STRUCTP with calloc libsmb: Simplify SMBC_add_cached_server() libsmb: Make setting errno safer in SMBC_add_cached_server() smbd: Fix a DBG statement libsmb: Adapt cli_echo_send() to modern conventions smbd: Save 488 bytes RSS libsmb: Return [MS-SMB2] 2.2.14 SMB2 CREATE Response flags field pylibsmb: Return "flags" in create_returns ldb: Add the RFC4532 LDB_EXTENDED_WHOAMI_OID definition ldb: Allow extended operations through ildap ldb: Implement ldap_whoami 
in pyldb ldap_server: Implement the rfc4532 whoami exop tests: Test ldap whoami exop winbind: Test wbinfo -u with more than 1000 users winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users libcli: Add security_token_count_flag_sids() smbd: Use security_token_count_flag_sids() in open_np_file() librpc: Simplify dcerpc_is_transport_encrypted() rpc: Add global_sid_Samba_NPA_Flags SID rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle" rpc: Remove named_pipe_auth_req_info6->need_idle_server lib: Add security_token_del_npa_flags() helper function rpc_server3: Pass winbind_env_set() state through to rpcd_* tests: Make timelimit available to test scripts tests: Show that we 100% loop in cli_list_old_recv() libsmb: Fix directory listing against old servers smbd: Remove unused smb2_srv_send() smbd: Remove SMB_PERFCOUNT_ macros modules: Remove perfcount_test module smbd: Remove unused "pcd" arg from smb1_srv_send() smbd: Remove unused "deferred_pcd" from process_smb2() smbd: Remove unused "deferred_pcd" from construct_reply_chain() smbd: Remove unused "pcd" from struct smb_request smbd: Remove unused "deferred_pcd" from construct_reply() smbd: Remove unused "deferred_pcd" from process_smb1() smbd: Remove unused "deferred_pcd" from process_smb() smbd: Remove unused "pcd" from struct pending_message_list smbd: Remove smb1-only perfcount subsystem smbclient: Fix fd leak with "showacls;ls" smbd: Fix a typo smbd: Make SeekDir()/TellDir() static to dir.c smbd: Simplify make_dir_struct() smbd: Add dptr_FileNumber() smbd: Add dptr_RewindDir() smbd: Do an early talloc_free() in fsp_attach_smb_fname() smbd: Do an early talloc_free() in reply_search() smbd: Make reply_search() easier to understand smbd: Remove unused dptr_fill() and dptr_fetch_fsp() lib: Fix whitespace vfs: Fix a typo vfs: Modernize a few DEBUG statements vfs: Remove two "== true" smbd: Use ISDOT() in exact_match() testparm: Fix a typo conf: Fix wrong language in "dos charset" smb.conf.5 entry smbd: 
Modernize a few overlog DEBUG statements smbd: Remove unused "pst" parameter from dptr_SearchDir() smbd: Remove unused "poffset" parameter from dptr_SearchDir() smbd: Remove unused "poffset" parameter from SearchDir() smbd: Introduce "dir_hnd" helper variable in smbd_dirptr_get_entry() smbd: Apply some README.Coding to call_trans2findfirst/next() smbd: Use dptr_RewindDir() instead of dptr_SeekDir(.., 0) smbd: Eliminiate some dead code smbd: Slightly simplify smbd_dirptr_lanman2_entry()'s overflow logic smbd: Make get_dir_entry() static in SMB1-only code smbd: Avoid a few else branches in smb2_query_directory_next_entry() smbd: Simplify dptr_ReadDirName() smbd: Add smbd_dirptr_push_overflow() smbd: Avoid dptr_SeekDir() when overflowing the dir buffer smbd: Remove unused dptr_SeekDir() smbd: Remove unused _prev_offset arg from smbd_dirptr_get_entry() smbd: Add dptr_struct->last_name_sent smbd: Make dptr_ReadDirName() public smbd: Do the "skip to resume name" in call_trans2findnext() smbd: Remove unused dptr_SearchDir() and the dir cache smbd: Remove the offset argument from ReadDirName() vfs: Remove vfs telldir/seekdir functions libcli: Simplify dom_sid_dup() libcli: Simplify security_token_is_sid() smbd: Fix a typo docs: Remove seekdir/telldir reference smbd: Modernize a DEBUG statement in smbd_dirptr_get_entry() smbd: Remove references to get_Protocol() lib: Simplify two if-expressions winbind: Fix a typo lib: Add a few required #includes WHATSNEW: Mention removed "directory name cache size" parameter profiling: Factor out functions to read smbprofile.tdb rpc_server: Fix talloc hierarchy in _srvsvc_NetSrvGetInfo() libsmb: Add SMB1 posix cli_mknod pylibsmb: Add mknod() pylibsmb: Add smb1_stat() libsmb: Test smb1 mknod smbd: Remove "a heuristic to avoid seeking the dirptr" smbd: Remove a smb1-only optimization findfirst/findnext smbd: smbd_dirptr_lanman2_match_fn(): Remove "exact_match" handling smbd: Don't set security_descriptor_hash_v4->time smbd: Make sure 
smb_fname->st is valid in smbd_dirptr_get_entry smbd: Don't use "sbuf" in smbd_dirptr_get_entry() smbd: Remove unused "pst" argument from dptr_ReadDirName() smbd: Remove unused "sbuf" argument from ReadDirName() smbd: Remove unused "sbuf" argument from vfs_readdirname() vfs: Remove "sbuf" from readdir_fn() error_inject: map EROFS error_inject: Enable returning EROFS for O_CREAT tests: Show smbd returns wrong error code when creating on r/o fs smbd: Don't mask open error if fstatat() fails smbd: Slightly simplify smbd_dirptr_get_entry() smbd: Move dos_mode_from_name() up in dosmode.c smbd: Simplify dos_mode_msdfs() smbd: Apply some README.Coding to dos_mode_from_sbuf() smbd: Add read_symlink_reparse() smbd: Factor out full_path_extend() smbd: Lift up conn->cwd from openat_pathref_dirfsp_nosymlink() smbd: Fully fill in fsp in openat_pathref_fsp_nosymlink_internal() test: skip the open-eintr test smbd: Extend openat_pathref_dirfsp_nosymlink() smbd: Pass stat_ex and files_struct to dos_mode_from_sbuf() smbd: Pass "char*" to dos_mode_from_name() smbd: Pass name and stat_ex to dos_mode_msdfs() smbd: Modernize two DEBUG statements smbd: Introduce dir_fname helper var in smbd_dirptr_get_entry() smbd: Factor out full_path_from_dirfsp_at_basename() smbd: Rewrite smbd_dirptr_get_entry() smbd: Remove "atname" from smbd_dirptr_get_entry()'s mode_fn smbd: Factor out create_open_symlink_err() smbd: Merge openat_pathref_fsp_nosymlink() into _internal() utils3: Remove the "split_tokens" utility smbclient3: Use talloc_asprintf(), no explicit SAFE_FREE required smbd: Avoid a direct reference to smb_messages[] smbd: Save 76 bytes of .text tests: Enable a few tests for FreeBSD torture4: Fix an error message error_inject: Reduce indentation with an early return smbd: Fix a typo lib: Translate ENXIO to NT_STATUS_ILLEGAL_FUNCTION lib: Move IO_REPARSE_TAG_NFS subtypes to toplevel build: We don't need SEEKDIR_RETURNS_VOID baixiangcpp (1): lib:util: File descriptor being closed repeatedly. 
Łukasz Stelmach (2): Configure builtin heimdal to use KEYRING ccache bootstrap: Add a note about cleaning bootstrap/ ----------------------------------------------------------------------- -- Samba Shared Repository